Click here to get back home

How to set special folder permissions in a script?
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
How to set special folder permissions in a script? Samuel R. Neff 05-18-2006
Posted by Samuel R. Neff on May 18, 2006, 10:02 am
Please log in for more thread options
We're having a problem with permissions being messed up when we deploy
a new version of our web application. We'd like to reset permissions
with a script--batch file or vbs.

How can we set the special permissions in a script? neither cacls.exe
or xcacls.exe seem to support setting them. Special permissions print
out fine but I don't see any way to replicate these settings:

c:\Inetpub\wwwroot SAM2003\IUSR_SAM2003:(OI)(CI)(DENY)(special
access:)

DELETE
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_DELETE_CHILD
FILE_WRITE_ATTRIBUTES

SAM2003\IIS_WPG:(OI)(CI)R
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
BUILTIN\Users:(OI)(CI)R


It's the first one, SAM2003\IUSER_SAM2003 that's a problem. How do
you set those special permissions with cacls/xcacls?

Thanks,

Sam


Posted by Roger Abell [MVP] on May 18, 2006, 10:50 am
Please log in for more thread options
 Go to microsoft.com downloads and search for and obtain
xcacls.vbs as it examples all that can be done with vbs without
wrappering from the NetFx namespace and as far as I have
discovered is able to set any possible ACE. Use the builtin
syntax help, not just the external doc you will see available,
as the external does not quite have everything (at least the
last time I reviewed it).

>
> We're having a problem with permissions being messed up when we deploy
> a new version of our web application. We'd like to reset permissions
> with a script--batch file or vbs.
>
> How can we set the special permissions in a script? neither cacls.exe
> or xcacls.exe seem to support setting them. Special permissions print
> out fine but I don't see any way to replicate these settings:
>
> c:\Inetpub\wwwroot SAM2003\IUSR_SAM2003:(OI)(CI)(DENY)(special
> access:)
>
> DELETE
> FILE_WRITE_DATA
> FILE_APPEND_DATA
> FILE_WRITE_EA
> FILE_DELETE_CHILD
> FILE_WRITE_ATTRIBUTES
>
> SAM2003\IIS_WPG:(OI)(CI)R
> NT AUTHORITY\SYSTEM:(OI)(CI)F
> BUILTIN\Administrators:(OI)(CI)F
> BUILTIN\Users:(OI)(CI)R
>
>
> It's the first one, SAM2003\IUSER_SAM2003 that's a problem. How do
> you set those special permissions with cacls/xcacls?
>
> Thanks,
>
> Sam
>



Posted by Samuel R. Neff on May 18, 2006, 3:27 pm
Please log in for more thread options

Thanks. I'd looked at the xcacls.vbs script but didn't realize how
the output from cacls related the the inputs required by xcacls.
You're right, it has everythin we need and we came up with a script
that was pretty straightforward for our needs.

Here's the guts of what we came up with:


ECHO Applying permissions to '%TARGET%'

SET IUSR=%COMPUTERNAME%\IUSR_%COMPUTERNAME%

ECHO Setting permissions on %TARGET%

SET GRANT=%COMPUTERNAME%\IIS_WPG:R
SET GRANT=%GRANT% "NT AUTHORITY\SYSTEM:F"
SET GRANT=%GRANT% BUILTIN\Administrators:F
SET GRANT=%GRANT% BUILTIN\Users:R

SET DENY=%IUSR%:A
SET DENY=%DENY% %IUSR%:3
SET DENY=%DENY% %IUSR%:2
SET DENY=%DENY% %IUSR%:5
SET DENY=%DENY% %IUSR%:7
SET DENY=%DENY% %IUSR%:9


cscript.exe xcacls.vbs %TARGET% /T /G %GRANT% /D %DENY%


Thanks again,

Sam



On Thu, 18 May 2006 07:50:52 -0700, "Roger Abell [MVP]"

>Go to microsoft.com downloads and search for and obtain
>xcacls.vbs as it examples all that can be done with vbs without
>wrappering from the NetFx namespace and as far as I have
>discovered is able to set any possible ACE. Use the builtin
>syntax help, not just the external doc you will see available,
>as the external does not quite have everything (at least the
>last time I reviewed it).
>


Similar ThreadsPosted
special permissions on folder don't work April 28, 2006, 1:54 am
What is the point to add special permissions for CREATOR/OWNER November 16, 2005, 4:07 pm
Script to List all users permissions November 28, 2005, 8:13 am
Logon Script set permissions on local directory September 7, 2005, 10:27 am
Tool/script to walk thru all folders/shares and identify non-inherited permissions January 5, 2007, 4:28 pm
Folder and Sub-folder permissions September 5, 2007, 5:01 pm
How to set folder permissions May 3, 2006, 9:08 am
Folder permissions help November 16, 2007, 10:19 am
Updating folder permissions November 9, 2005, 11:31 pm
NTFS , folder permissions ! Need Help January 4, 2006, 11:51 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap